

Updated some nix config
Andrew Jeffery committed Aug 8, 2023
1 parent 6ef005a commit 9965f14
Showing 8 changed files with 392 additions and 64 deletions.
42 changes: 30 additions & 12 deletions flake.lock


3 changes: 2 additions & 1 deletion flake.nix
@@ -1,7 +1,8 @@
{
description = "Confidential computing packages";

inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
# inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
inputs.nixpkgs.url = "github:rrbutani/nixpkgs/fix/llvm-15-libcxx-linker-script-bug";
inputs.flake-utils.url = "github:numtide/flake-utils";
inputs.nix-filter.url = "github:numtide/nix-filter";

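Review bot: The nixpkgs input at `inputs.nixpkgs.url = "github:rrbutani/nixpkgs/fix/llvm-15-libcxx-linker-script-bug";` now makes the entire package set depend on a branch of a personal fork, and nothing in the hunk records why or when it can be dropped. flake.lock pins the exact revision for now, but the branch itself is mutable and may be force-pushed or deleted, so any later `nix flake update` silently follows whatever the branch head becomes. Replace the bare commented-out upstream line with a note naming the upstream nixpkgs PR or issue this fork carries and the condition for reverting, e.g. `# TEMPORARY: fork carrying the llvm-15 libcxx linker-script fix; revert to NixOS/nixpkgs once <upstream PR> lands.` The enclosing attribute set continues past the hunk.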
4 changes: 2 additions & 2 deletions nix/az-dcap.nix
Expand Up @@ -6,7 +6,7 @@
makeWrapper,
fetchurl,
lib,
openssl_1_1,
openssl,
}: let
fetchFromIntelGitHub = {path, ...} @ attrs:
fetchurl ({
Expand Down Expand Up @@ -44,7 +44,7 @@ in
};
nativeBuildInputs = [makeWrapper];
buildInputs = [
(curl.override {openssl = openssl_1_1;})
(curl.override {openssl = openssl;})
nlohmann_json
];

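Review bot: `(curl.override {openssl = openssl;})` in the buildInputs hunk binds an attribute to a variable of the same name, which Nix spells as `(curl.override {inherit openssl;})`; the longer form reads as if a different value were being passed. The change itself, dropping the `openssl_1_1` pin in favour of the scope's `openssl`, is the right direction, since the OpenSSL 1.1.1 series is end-of-life upstream. The enclosing mkDerivation argument list starts and ends outside the hunk.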
36 changes: 19 additions & 17 deletions nix/ccf.nix
@@ -1,13 +1,14 @@
{
fetchFromGitHub,
pkg-config,
cmake,
ninja,
stdenv,
openenclave,
libuv,
az-dcap,
sgx-dcap,
sgx-psw,
# az-dcap,
# sgx-dcap,
# sgx-psw,
makeWrapper,
protobuf,
openssl,
Expand All @@ -31,24 +32,25 @@ in
repo = "CCF";
name = "ccf-${version}";
rev = "ccf-${version}";
hash = "sha256-IG5lgtiq/VPTJm9hMYcj9JTxsapD7+H1aw5+b6pY0ko=";
hash = "sha256-CofADLExBTo3CH7iACKKNxMsSpy/ZBWBRaXc3ELHAd4=";
};
patches = [
patches/ccf-no-python.diff
patches/ccf-no-python-pb2.diff
# patches/ccf-no-python.diff
# patches/ccf-no-python-pb2.diff
patches/ccf-protoc-binary.diff
patches/ccf-ignore-submitter.diff
# patches/ccf-ignore-submitter.diff
];

nativeBuildInputs = [
cmake
ninja
pkg-config
libuv
protobuf
arrow-cpp
sgx-dcap
# arrow-cpp
# sgx-dcap
openenclave
makeWrapper
# makeWrapper
];

cmakeFlags = [
Expand All @@ -62,12 +64,12 @@ in
NIX_NO_SELF_RPATH = "1";

postInstall = ''
wrapProgram $out/bin/cchost \
--suffix LD_LIBRARY_PATH ':' "${az-dcap}/lib:${sgx-psw}/lib:${sgx-dcap}/lib"
wrapProgram $out/bin/keygenerator.sh \
--prefix PATH ':' "${openssl}/bin"
${toRemove}
# wrapProgram $out/bin/cchost \
# --suffix LD_LIBRARY_PATH ':' "''${az-dcap}/lib:''${sgx-psw}/lib:''${sgx-dcap}/lib"
#
# wrapProgram $out/bin/keygenerator.sh \
# --prefix PATH ':' "${openssl}/bin"
#
# ${toRemove}
'';
}
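Review bot: The commented-out `# ${toRemove}` at the end of postInstall still interpolates: Nix expands `${toRemove}` inside the `''` string before the shell ever sees the `#`, so only the first line of whatever toRemove expands to is commented out and any further lines would run unconditionally at install time (toRemove is defined outside the hunk, so I cannot tell whether it is multi-line). The same applies to `# --prefix PATH ':' "${openssl}/bin"`, which keeps openssl as an input of the derivation even though the wrapper is no longer created, whereas the cchost lines just above were correctly escaped with `''${...}`. Either escape these too or, better, delete the dead block entirely: the removed wrapProgram calls, patches and inputs are preserved in git history, and the same commented-out leftovers in the inputs and patches lists here and in nix/lskv.nix and nix/openenclave.nix make it unclear which dependencies are still intended. With the cchost wrapper gone, the binary no longer gets the az-dcap/sgx-dcap/sgx-psw libraries on its LD_LIBRARY_PATH; if attestation still relies on them at runtime, that should be documented or supplied another way.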
14 changes: 7 additions & 7 deletions nix/default.nix
Expand Up @@ -28,12 +28,12 @@ pkgs.lib.makeScope pkgs.newScope (
};

ccf = self.callPackage ./ccf.nix {
stdenv = pkgs.llvmPackages_10.libcxxStdenv;
stdenv = pkgs.llvmPackages_15.libcxxStdenv;
};
ccf-sandbox = self.callPackage ./ccf-sandbox.nix {inherit ccf;};
lskv = self.callPackage ./lskv.nix {
inherit ccf;
stdenv = pkgs.llvmPackages_10.libcxxStdenv;
stdenv = pkgs.llvmPackages_15.libcxxStdenv;
};
lskv-sandbox = self.callPackage ./lskv-sandbox.nix {inherit ccf-sandbox lskv;};
packages = lskvlib.forAllPlatforms {
Expand All @@ -53,25 +53,25 @@ pkgs.lib.makeScope pkgs.newScope (
az-dcap = self.callPackage ./az-dcap.nix {};
sgx-dcap = self.callPackage ./sgx-dcap.nix {};

openenclave-version = "0.18.4";
openenclave-version = "0.19.3";
openenclave-src = pkgs.fetchFromGitHub {
owner = "openenclave";
repo = "openenclave";
rev = "v${openenclave-version}";
hash = "sha256-65LHXKfDWUvLCMupJkF7o7d6ljsO7nwcmQxRU8H2Xls=";
hash = "sha256-RN7Mq6RO09CZOEoi/nYpPfa7TT1I5FYKqET8wRXnIxU=";
fetchSubmodules = true;
};
lvi-mitigation = self.callPackage ./lvi-mitigation.nix {};
openenclave = self.callPackage ./openenclave.nix {
# Openenclave doesn't build with libcxx, for some reason.
inherit (pkgs.llvmPackages_10) stdenv;
stdenv = pkgs.llvmPackages_11.libcxxStdenv;
openssl = pkgs.openssl_1_1;
};

k6 = self.callPackage ./k6.nix {};

mkShell = args:
(pkgs.mkShell.override {
stdenv = pkgs.llvmPackages_10.libcxxStdenv;
stdenv = pkgs.llvmPackages_15.libcxxStdenv;
}) ({
NIX_CFLAGS_COMPILE = "-Wno-unused-command-line-argument";
NIX_NO_SELF_RPATH = "1";
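Review bot: The comment `# Openenclave doesn't build with libcxx, for some reason.` is now contradicted by the line below it, `stdenv = pkgs.llvmPackages_11.libcxxStdenv;`, which is a libcxx stdenv; either drop the comment or have it say why LLVM 11 libcxx is acceptable here while the rest of the scope moved to `llvmPackages_15`. The new `openssl = pkgs.openssl_1_1;` also leaves openenclave on OpenSSL 1.1 while nix/az-dcap.nix in this same commit drops its `openssl_1_1` pin; if Open Enclave 0.19.3 genuinely requires 1.1, say so in a comment next to the override, since the 1.1.1 series is end-of-life and a later nixpkgs may refuse to build it without an explicit insecure-package allowance. The `lvi-mitigation` package appears to have been dropped from this scope (it is also removed as an input in nix/openenclave.nix); if that is intentional, the now-unused ./lvi-mitigation.nix should be removed too. The enclosing makeScope function continues past the hunk.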
4 changes: 2 additions & 2 deletions nix/lskv.nix
@@ -1,7 +1,7 @@
{
stdenv,
cmake,
sgx-dcap,
# sgx-dcap,
openenclave,
ninja,
protobuf,
Expand All @@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
cmake
ninja
protobuf
sgx-dcap
# sgx-dcap
(ccf.override {inherit platform;})
openenclave
];
45 changes: 22 additions & 23 deletions nix/openenclave.nix
Expand Up @@ -4,76 +4,75 @@
fetchzip,
openenclave-version,
openenclave-src,
lvi-mitigation,
cmake,
ninja,
perl,
openssl_1_1,
openssl,
}: let
sgx-h = fetchurl {
url = "https://raw.githubusercontent.com/torvalds/linux/v5.13/arch/x86/include/uapi/asm/sgx.h";
sha256 = "4764b8ce858579d99f1b66bb1e5f04ba149a38aea15649fff19f65f8d9113fd0";
};
compiler-rt = fetchzip {
url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/compiler-rt-10.0.1.src.tar.xz";
hash = "sha256-OErVbpYasfvBK0793ujshuHK4tbqq3grQHjYDpebmT4=";
url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-11.1.0/compiler-rt-11.1.0.src.tar.xz";
hash = "sha256-jycaXF3wGF85B2cwe+1q5fVPhR+/JnaZ+4A8y/qyBag=";
};
libcxx = fetchzip {
url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/libcxx-10.0.1.src.tar.xz";
sha256 = "sha256-/OhdYPlbNHMxX2VxlurkOspC1OyPDmyUqXvZKxzwkTg=";
url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-11.1.0/libcxx-11.1.0.src.tar.xz";
sha256 = "sha256-UoRPugdPj0FtKp79V1nljehWyhChxgUo3mb/Wyq/RIA=";
};
symcrypt = fetchzip {
url = "https://github.com/microsoft/SymCrypt/releases/download/v101.3.0/symcrypt_AMD64_oe_full_v101.3.0-31e06ae.tgz";
sha256 = "sha256-diA653HZ4Mn4JbeT6+U0anhP3ySVWZWjcXH7KVVkqkY=";
url = "https://github.com/microsoft/SymCrypt/releases/download/v103.0.1/symcrypt-linux-oe_full-AMD64-103.0.1-69dbff3.tar.gz";
sha256 = "sha256-VCJlAOnbY2kYlnNv6SxumD4BinntAvpBFkUs9hBxCY4=";
stripRoot = false;
};
in
stdenv.mkDerivation rec {
pname = "openenclave";
version = openenclave-version;
src = openenclave-src;
patches = [patches/openenclave.diff];
patches = [
# patches/openenclave.diff
patches/openenclave-pkgconfig.diff
];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=RelWithDebInfo"
"-DFETCHCONTENT_SOURCE_DIR_COMPILER-RT-SOURCES=${compiler-rt}"
"-DFETCHCONTENT_SOURCE_DIR_LIBCXX_SOURCES=${libcxx}"
"-DFETCHCONTENT_SOURCE_DIR_SYMCRYPT_PACKAGE=${symcrypt}"
"-DCLANG_INTRINSIC_HEADERS_DIR=${toString stdenv.cc.cc.lib}/lib/clang/10.0.1/include"
"-DCLANG_INTRINSIC_HEADERS_DIR=${toString stdenv.cc.cc.lib}/lib/clang/${stdenv.cc.version}/include"
"-DENABLE_REFMAN=OFF"
"-DBUILD_TESTS=OFF"

# oeutil includes an enclave (oeutil_enc), which is signed with a random key.
# This breaks reproducible builds.
"-DBUILD_OEUTIL_TOOL=OFF"

"-DCMAKE_BUILD_WITH_INSTALL_RPATH:BOOL=ON"
"-DCMAKE_INSTALL_RPATH_USE_LINK_PATH:BOOL=ON"

"-DLVI_MITIGATION=ControlFlow"
# "-DCMAKE_BUILD_WITH_INSTALL_RPATH:BOOL=ON"
# "-DCMAKE_INSTALL_RPATH_USE_LINK_PATH:BOOL=ON"
];

preConfigure = ''
mkdir -p build/host build/3rdparty/symcrypt_engine
mkdir -p build/host
mkdir -p build/3rdparty/symcrypt_engine
cp ${sgx-h} build/host/sgx.h
ln -s ${compiler-rt} 3rdparty/compiler-rt/compiler-rt
ln -s ${libcxx} 3rdparty/libcxx/libcxx
ln -s ${symcrypt} build/3rdparty/symcrypt_engine/SymCrypt
ln -s ${lvi-mitigation}/bin build/lvi_mitigation_bin
patchShebangs tools/oeutil/gen_pubkey_header.sh
patchShebangs tools/oeapkman/oeapkman
substituteInPlace tools/oeutil/gen_pubkey_header.sh --replace '/var/tmp/oeutil_lock' '.oeutil_lock'
patchShebangs 3rdparty/openssl/append-unsupported
patchShebangs 3rdparty/musl/append-deprecations
'';

substituteInPlace pkgconfig/*.pc --replace \''${prefix}/@CMAKE_INSTALL_LIBDIR@ @CMAKE_INSTALL_LIBDIR@
substituteInPlace pkgconfig/*.pc --replace \''${prefix}/@CMAKE_INSTALL_INCLUDEDIR@ @CMAKE_INSTALL_INCLUDEDIR@
# since expansion isn't possible in cmakeFlags
cmakeFlags="$cmakeFlags -DLVI_MITIGATION_BINDIR=$PWD/build/lvi_mitigation_bin"
postFixup = ''
substituteInPlace $out/lib/${pname}/cmake/${pname}-*.cmake \
--replace 'set(_IMPORT_PREFIX' '#set(_IMPORT_PREFIX'
'';

nativeBuildInputs = [cmake ninja perl];
propagatedBuildInputs = [openssl_1_1];
propagatedBuildInputs = [openssl];

# Not sure if we want to keep this
dontAutoPatchelf = true;
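Review bot: `"-DLVI_MITIGATION=ControlFlow"` appears on the old side only, together with the removed `lvi-mitigation` input and the `ln -s ${lvi-mitigation}/bin build/lvi_mitigation_bin` / `-DLVI_MITIGATION_BINDIR` lines, so the enclave build seems to lose its Load Value Injection mitigation; that is a hardening regression for SGX enclave code and the commit does not say whether it is deliberate (the rendered layout leaves the side of these lines slightly uncertain). If the LLVM 11 toolchain cannot supply the mitigation binaries, record that in a comment where the flag used to be, e.g. `# LVI mitigation disabled: <reason>; re-enable once <condition>`, so it is not forgotten. `# patches/openenclave.diff` and the commented-out `CMAKE_*RPATH*` flags are dead code that should be deleted rather than left in place. The `-DCLANG_INTRINSIC_HEADERS_DIR=…/${stdenv.cc.version}/include` change is a good one, since it stops the flag silently pointing at a non-existent directory whenever the stdenv's clang version changes. The mkDerivation continues past the hunk.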
